Mozilla Developers Respond to Malware

An anonymous reader writes "Last week's well- publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."

Mozilla "innovation" reaches new low?

[Allen+Zadr]

I'm quite happy to see that the Mozilla team is pro-active in fixing the bugs that could allow MalWare to install unchecked.

Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time. This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.

I've been an Open Source supporter for quite a long while, but the days of relative desktop safety for F/OSS cross-over users is coming to a close.

And, I'm probably not the only one who "shivers", when reading, "... almost a carbon copy of the new Internet Explorer Information Bar ..."

There's no way to defend that.

Re:Mozilla "innovation" reaches new low?

[TopShelf]

Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.

For such users, they need to be taught that there is no such thing as truly "safe" browsing. The only "safe" choice is abstinence.

*then watch as they slip a condom over their mouse and hope for the best*

Re:Mozilla "innovation" reaches new low?

[sigaar]

"This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case."

Non-techies using IE, like my mother, feel safe too, just because Microsoft said it's OK. Such a big company with so many users can't be wrong, after all.

Despite the fact that her computer's gotten infected a couple of times already. Despite the fact that she refuses to do her Windows update (it takes so damn long over the modem). Despite the fact that her son (me) who works for an IT security company, have told her repeatedly not to use IE, and have made sure that she always has the latest Mozilla/FireFox and Opera installed.

On a slightly different but related topic. I am not a programmer, so this is just a guess. The same vulnerability that was discovered in Firefox and Mozilla, was discovered in IE too. Would the fact the vulnerability in Firefox and Mozilla only affected the Windows 2000/XP versions, and not the ones on other platforms, suggest that it might have been a vulnerability in windows rather than Mozilla? Sure, preventitive maintainance on Mozilla's side would prevent it from being expoited.

I just find it to be a bit like mopping the floor because the bathtub is overflowing, instead of closing the tap.

Re:Mozilla "innovation" reaches new low?

[Finuvir]

Would the fact the vulnerability in Firefox and Mozilla only affected the Windows 2000/XP versions, and not the ones on other platforms, suggest that it might have been a vulnerability in windows rather than Mozilla?

Yes. The flaw was that Mozilla handled the protocols it knew and passed all unknown protocols to the OS to handle. Windows was (is) all too happy to launch programs with the shell protocol.

Re:Mozilla "innovation" reaches new low?

[t1m0r4n]

The Mozilla team isn't proactive on security issues. The dangers of Windows URL schemes have been known to the Mozilla team since mid-2002

I said last time around I said if I heard this comment one more time I would scream, and, well, I just scared my poor dog. Who the heck is this "Mozilla team" you are insulting? Last time I checked mozilla source code was readily available to you. Patch it. Done. If someone "official" doesn't want to include it in the nightly build, too bad. Put up a little website at geocities.com/securemozilla and post a message on your geek board of choice.

Such is the burden of open source. You can't complain about the coding choice of another person if you are lazy and/or stupid. I don't see it as a failure of the Mozilla team, but a failure of Windows users who were too lame to fix it themselves.

Re:Mozilla "innovation" reaches new low?

[ajs]

Actually, you should look at the link (though you have to copy/paste it because Bugzilla is refusing connections that have a Slashdot URL as referer). The bug was reported by someone who wrote, tested and bug-fixed a patch. Two years later (TWO YEARS) someone from the Mozilla Team (and by that, I mean people with control over the released source) said that they thought it wasn't a good idea. A few months later the exploits were "discovered".

This whole incident is a huge black-eye for Open Source's theory of many eyes. The eyes saw. The fingers fixed. The brain ignored.

PS: I am still an open source advocate and I still believe in the many-eyes theory of security, but this incident shows that we cannot be abolutely confident in that theory producing better results that proprietary solutions.

the interesting thing

[koan]

Will be how fast the community can fix these types of issues compared to M$'s response time.
I think we all know that whatever is the popular software is what will be targeted so the big difference maybe how it's responded to.

IE

[shackma2]

It wasnt just Mozilla Firefox and the like.

Some microsoft products were affected also.

Re:IE

It wasnt just Mozilla Firefox and the like.

And there's the rub. As was reported before, the problem with Mozilla was only on Win32 platforms. Then, it comes out that MSN IM and Word are also affected with this problem. So, truly the bug lies in Windows. Why this point isn't getting more press, I am not sure, but it really should.

missiles

[foxhound01]

this is precisely the reason the Firefox was equipped with thought guided missiles...to destroy unseen threats.

It was a Windows flaw, not a Mozilla flaw

[dtjohnson]

It was widely reported that a flaw was found in 'Mozilla' which was not correct. The flaw was in the Shell: protocol on Windows. That's why the alleged 'flaw' in Mozilla did not exist on non-Windows platforms. The only 'flaw' in Mozilla was its failure to block the use of the shell: stuff on Windows (which the patch now does).

Re:not so fast of a fix

[it0]

Wasn't it also that it was a shell bug in win2k/xp that actually only was an OS bug, that MS didn't fixed so they eventually did it?

This will be the true test.

[Schezar]

As Mozilla browsers become more popular, and thus face credible threats on the scale that IE has been facing, this may well be the breaking point for OSS in general.

Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.

They won't admit to believing the above, but it's true: I have first hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.

If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.

At least, that's what I hope ^_~

Re:not so fast of a fix

Wrong, generic bug about potentially hazardous protocol handlers was opened in 2002, and framework for dealing with them was created.

The specific shell: protocol was pointed out as maybe dangerous one day before it was fixed (with just a configuration change, because that framework was already there).

Very quickly fixed.

Re:not so fast of a fix

[That's+Unpossible!]

No, the bug was in Windows XP's handling of the shell: protocol. It can be exploited to run arbitrary code. When this was found out, Mozilla team released a patch to prevent shell: protocol links from working, cutting off access to the real culprit in Windows, which won't be fixed until SP2 for XP.

The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.

E.g. since aim: isn't recognized by Mozilla, an aim: link would be passed to the OS, and if you had AOL IM installed, it would have registered to handle that protocol. (Often used to install a new "buddy icon.")

I believe Mozilla is now going to allow you to let certain protocols through, instead of allowing all.

So it's QUITE a stretch to say that this exploit bug we're talking about is (a) in mozilla, and (b) around since 2002.

Ignorant developers

[gr8_phk]

The software should not allow a web site to initiate any action on the client side. Security 101 here people. Opening files using the default application is pushing the limit. Allowing the site to specify what you run was just plain stupid. The Mozilla team should not just disable that feature by default, but should remove it entirely. There are work arounds for the small fraction of users who have a legitimate use for that.

IMHO, desktops (GNOME, KDE) are crossing the line and even X itself has some "features" that may lead to exploits if developers aren't careful - remember the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data, that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).

When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.

I'm rambling now trying to gather too many thoughts in too little time.

Re:Handling a full court press?

[argent]

I don't believe OSS has ever encountered the concentrated, unrelenting targeting Microsoft has to endure.

You're mistaken in your belief.

People argue that Microsoft's getting unfairly blamed becauise they're the majority of the targets. And yet in areas where they haven't been the primary target they have still often had a significantly larger number of exploits for extended periods of time.

For example, for years IIS had a consistent 30% share in the webserver market, yet over the same period IIS served the vast majority of defaced websites.

NOT just a Windows/Mozilla problem

[for_usenet]

Folks - this is not just a Mozilla/Windows problem. Just a few short weeks ago, a lot of noise was made about a very similar URI exploit on Mac OS X, both through any browser that runs on OS X (noise was made about Safari, and I verified that the exploit was also present in Camino) and OS X's help system.

Because of the seemingly general nature of this type of exploit - why are we letting browsers run code ?? The web SHOULD primarily be to exchange information (text, images, audio, video). Why are we allowing remote program execution?